VMware and Xen rush out critical security fixes

VMware said earlier this morning that its vRealize Orchestrator, vRealize Operations, vCenter Operations
and vCenter Application Discovery Manager software all need patching to protect them against a critical deserialization
vulnerability.

The security hole involves the Apache Commons Collections library and a specially constructed chain of classes that is processed during deserialization.

These bugs can lead to remote code execution with the permissions of the application that uses
the Commons Collections library, VMware said.

A fix is already available for vRealize Orchestrator 6.x, and the patch for vCenter Orchestrator 5.x
can be downloaded from the company's site.

Security patches for vRealize Operations and vCenter Operations are on their way, VMware says, with a more or less
acceptable delay since exploitation is limited to local users.

The patch for vCenter Application Discovery Manager is still pending; we are told to expect news about that
one soon.

System administrators of virtualised platforms have plenty to cope with just before Christmas, as the Xen Project has
also released a set of patches.

For example, XSA-164 could allow privilege escalation of the qemu process, while XSA-165 could make
it possible to retrieve encryption keys from a Xen-powered host.

And as for XSA-166, it could offer privilege escalation possibilities to potential attackers,
so system admins should be on the lookout for all of these nasty surprises.